VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base; Status: Draft; Likelihood: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835), page 29 of 42
  • CVE-2026-44520 (Medium, May 14, 2026)
    risk 0.30, CVSS 5.7, EPSS 0.00

    Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without…

  • CVE-2023-6927 (Medium, Dec 18, 2023)
    risk 0.30, CVSS 4.6, EPSS 0.01

    A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

  • CVE-2022-41965 (Medium, Nov 28, 2022)
    risk 0.30, CVSS 5.7, EPSS 0.00

    Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to…

  • CVE-2022-36087 (Medium, Sep 9, 2022)
    risk 0.30, CVSS 5.7, EPSS 0.01

    OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it…

  • CVE-2025-55207 (Medium, Aug 15, 2025)
    risk 0.29, CVSS not listed, EPSS 0.01

    Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would…

  • CVE-2020-36665 (Medium, Mar 4, 2023)
    risk 0.29, CVSS 5.5, EPSS 0.01

    A vulnerability was found in Artesãos SEOTools up to 0.17.1 and classified as critical. This issue affects the function eachValue of the file TwitterCards.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this…

  • CVE-2020-36664 (Medium, Mar 4, 2023)
    risk 0.29, CVSS 5.5, EPSS 0.01

    A vulnerability has been found in Artesãos SEOTools up to 0.17.1 and classified as problematic. This vulnerability affects the function setTitle of the file SEOMeta.php. The manipulation of the argument title leads to open redirect. Upgrading to version 0.17.2 is able to…

  • CVE-2020-36663 (Medium, Mar 4, 2023)
    risk 0.29, CVSS 5.5, EPSS 0.01

    A vulnerability, which was classified as problematic, was found in Artesãos SEOTools up to 0.17.1. This affects the function makeTag of the file OpenGraph.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this…

  • CVE-2020-36627 (Medium, Dec 25, 2022)
    risk 0.29, CVSS 5.5, EPSS 0.01

    A vulnerability was found in Macaron i18n. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file i18n.go. The manipulation leads to open redirect. The attack can be launched remotely. Upgrading to version 0.5.0 is able to…

  • CVE-2022-4589 (Medium, Dec 17, 2022)
    risk 0.29, CVSS 5.5, EPSS 0.00

    A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched…

  • CVE-2026-46616 (Medium, Jun 10, 2026)
    risk 0.28, CVSS 5.4, EPSS 0.00

    Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters…

  • CVE-2026-53440 (Medium, Jun 10, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled…

  • CVE-2026-53437 (Medium, Jun 10, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.

  • CVE-2026-53436 (Medium, Jun 10, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

  • CVE-2026-47991 (Medium, Jun 9, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site.…

  • CVE-2026-45335 (Medium, May 27, 2026)
    risk 0.28, CVSS 5.4, EPSS 0.00

    WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and…

  • CVE-2026-48924 (Medium, May 27, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

  • CVE-2026-45448 (Medium, May 14, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    CWE-601 URL redirection to untrusted site ('open redirect')

  • CVE-2026-42525 (Medium, Apr 29, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

  • CVE-2026-30346 (Medium, Apr 27, 2026)
    risk 0.28, CVSS 4.3, EPSS 0.00

    An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL.